Bug #1590

closed

Snort Will Not Start

Added by Mike Binkowski almost 13 years ago. Updated over 12 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Snort
Target version: -
Start date: 06/08/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.0
Affected Plus Version:
Affected Architecture: amd64

Description

Hello all-

I just upgraded my pfsense firewall (from a snap on Tuesday May 31 to a snap today, 2.0-RC2 (amd64) built on Tue Jun 7 06:12:50 EDT 2011).

After I update SNORT with my oinkcode, add the interface and categories etc. it will not start. If I try and start it via command line this is the error I get: '/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"'.

I unchecked all the categories I had selected and tried to restart the SNORT service, didn't make a difference.

I also tried:

[2.0-RC2][]/root(1): ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
[2.0-RC2][]/root(2): snort
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
Fatal Error, Quitting..
[2.0-RC2][]/root(3):

Other people have done clean installs with the latest snaps and haven't had any luck getting it to run either.

Thanks,

th3r3isnspoon

Actions #1

Updated by Andrew Mitchell almost 13 years ago

In the latest release of pfsense 2.0-RC2 I can't get Snort to start.
While my console output is the same as listed above, the syslog reveals the following:

Jun 9 07:12:19 SnortStartup63658: Snort HARD Reload For 34679_sis0...
Jun 9 07:12:19 snort56907: FATAL ERROR:
/usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output
plugin: "alert_pf"
Jun 9 07:12:19 snort56907: FATAL ERROR:
/usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output
plugin: "alert_pf"

Line 207 of the above file is:

output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c

Looked into snort.inc; it looks like snort is supposed to fetch perl-threaded-5.12.1_1.tbz as a dependency. I couldn't find it anywhere. The link to the file seems broken. I think this is the cause of this issue.

Actions #2

Updated by Chris Buechler over 12 years ago

  • Status changed from New to Resolved

fixed

Actions #3

Updated by Cino . over 12 years ago

Can this be reopened? All week I've been helping Ermal test i386 platform. I've done a fresh amd64 install and received the following error when Block Offenders is checked:

Aug 6 10:08:24 snort33631: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
Aug 6 10:08:24 snort33631: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"

Actions #4

Updated by Chris Buechler over 12 years ago

This particular issue is fixed. The one you noted is in #1753.

Actions #5

Updated by Brett Ussher over 12 years ago

This issue is back again in RC3. I found the following fix in the forums:

http://forum.pfsense.org/index.php?topic=37557.0

which states to do a "ln -s /lib/libpcap.so.7 /lib/libpcap.so.1" and that seems to have fixed that problem.

I will say that the snort module is sensitive, like the actual snort.conf file, to spaces after commas when listing ports or ip addresses. It doesn't work. Though, there is no useful error generated within the module when this happens. In fact, there is never an error listed in the module. It simply states it started whether or not snort actually did. But, that is a different issue.

Actions #6

Updated by Brett Ussher over 12 years ago

I used the above command, which fixed that issue. However, after turning on some more Snort rules categories, when I tried to start Snort, I got messages about a missing folder, "/usr/local/lib/snort/snort_dynamicpreprocessor/". Notice the underscore ("_").

To fix that issue, I wound up making three more symlinks:

ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules

I then had an issue with snort unable to find "local.rules". To fix this (and I have no idea why this works) I had to manually update the rules (again, since they were already up to date) and then wait about five minutes. I discovered this by updating the rules by chance (read: desperation), then, when it failed to start, looking online for a few minutes before, out of desperation, trying to start Snort again only to see it work. Once all of the above was completed, Snort started. I do not know if the rules update helped or not, but I know that when I made a change to my "Performance" by changing AC-SPARSEBANDS to AC-STD, when I restarted Snort it would not work. After running the rules update again and waiting a few minutes, it started right up.

Hope this helps folks.

Actions #7

Updated by Brett Ussher over 12 years ago

Another update. Just tried rebooting the server -- no updates were done or any changes to configuration or addition/deletion of any packages. When the server came back up, Snort would not start. When I started Snort manually from the command line, it gave that same FATAL ERROR about not being able to locate /usr/local/etc/snort/../rules/local.rules. I let the box sit for about 10 minutes and tried to start Snort again thinking something just needed to catch up. No dice. So, I re-ran the rules updater. It didn't update any of the rules, though the operation was successful (which makes sense, the rules were up to date already). Still no dice. I ran the updater a second time and Snort was able to start up immediately. I can reproduce this anytime just by rebooting the server.

To fix this, I had to create the file using the following command:

touch /usr/local/etc/snort/rules/local.rules

I know that the Snort error message uses the path "/usr/local/etc/snort/../rules/local.rules", but you need to remove the "../" in order for the touch command to work (since the /usr/local/etc/rules/ folder does not exist). Once the local.rules file exists, you can reboot the pfSense server all day long and Snort will start up at boot time automatically.

Okay, I think that concludes all of the odd little tweaks one has to do to get Snort to run under pfSense v2.0-RC3. I hope...

Actions #8

Updated by Brett Ussher over 12 years ago

The only snag that I think might cause an issue is a future rules update, since that flushes the rules folder. If local.rules is deleted, then it will have to be recreated. I would like to add the touch command to the bootup init scripts, someplace before the Snort service starts. But, I'm not as familiar with FreeBSD, so I'm not entirely sure where that would be. As it stands, I might have to re-run this touch command after rules are updated, though it will work otherwise.

At any rate, as a recap of all I've done to get Snort to work, I'm listing all of the commands here:

1.) ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
2.) ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
3.) ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
4.) ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules
5.) manually update the Snort rules.
6.) touch /usr/local/etc/snort/rules/local.rules
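An added example, not part of this thread or of the pfSense package: a POSIX sh function that applies steps 1-4 and 6 of the recap above idempotently (a link or file is only created when it is missing, so it is safe to run from a pre-start hook after every rules update), plus a check function that reports which pieces are still absent. The optional root-prefix argument is an assumption so the functions can be exercised against a scratch directory; step 5 (the rules update from the GUI) is not covered.

```shell
#!/bin/sh
# Idempotent pre-start repair for the Snort-on-pfSense 2.0 symptoms in this thread.
# $1 is an optional prefix (empty on a real system; a scratch dir for testing).
# Prints the number of items it had to create.
snort_prestart_fix() {
    root="${1:-}"
    fixed=0
    # Snort was linked against libpcap.so.1; the base system only has libpcap.so.7.
    if [ -e "$root/lib/libpcap.so.7" ] && [ ! -e "$root/lib/libpcap.so.1" ]; then
        ln -s libpcap.so.7 "$root/lib/libpcap.so.1" && fixed=$((fixed + 1))
    fi
    # snort.conf expects /usr/local/lib/snort_<name>/ (underscore), the package
    # installs /usr/local/lib/snort/<name>/; relative links keep them in sync.
    for name in dynamicpreprocessor dynamicengine dynamicrules; do
        link="$root/usr/local/lib/snort_$name"
        if [ -d "$root/usr/local/lib/snort/$name" ] && [ ! -e "$link" ]; then
            ln -s "snort/$name" "$link" && fixed=$((fixed + 1))
        fi
    done
    # A rules update flushes the rules folder; Snort refuses to start without local.rules.
    rules="$root/usr/local/etc/snort/rules/local.rules"
    if [ ! -e "$rules" ]; then
        mkdir -p "$(dirname "$rules")" && : > "$rules" && fixed=$((fixed + 1))
    fi
    echo "$fixed"
}

# Reports every path Snort needs that is still missing; returns the count (0 = ready).
snort_prestart_check() {
    root="${1:-}"
    missing=0
    for p in /lib/libpcap.so.1 /usr/local/lib/snort_dynamicpreprocessor \
             /usr/local/lib/snort_dynamicengine /usr/local/lib/snort_dynamicrules \
             /usr/local/etc/snort/rules/local.rules; do
        [ -e "$root$p" ] || { echo "missing: $p" >&2; missing=$((missing + 1)); }
    done
    return "$missing"
}
```

Run `snort_prestart_fix` before the Snort service starts and `snort_prestart_check` afterwards; a non-zero exit means one of the paths from this thread is still absent.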

Actions #9

Updated by not availible over 12 years ago

amd64
pfsense rc3
Snort

Notes:
Snort seems to be still down

alerts tab clear log seems to be broken
